Advertised as a MaaS (Malware-as-a-Service) rentable platform, Thanatos had to run on a very large number of infected hosts.

To increase the size of the ever-growing Thanatos botnet, AlphaLeon needed to find a way to deliver the Trojan to as many users as possible. For this, he devised a plan and later carried it out, researchers said in a post.

His idea consisted of finding and exploiting a vulnerability in the infrastructure of IPS, which offers its IPS Community Suite as a hosted platform running on AWS (Amazon Web Services) servers.

After establishing a foothold on IPS’ servers, AlphaLeon then intended to access the websites of IPS’ customers and place an exploit kit on their pages, researchers said. The exploit kit would automatically infect site visitors with the Thanatos Trojan by leveraging vulnerabilities in the visitors’ (outdated) browsers and browser plugins.

IPS customers include large companies such as Evernote, the NHL, the Warner Music Group, Bethesda Softworks, and LiveNation. Besides classic IP.Board forums, IPS also allows customers to set up fully working sites, even e-commerce stores.

His plan was cut short when SurfWatch Labs researchers learned of his intentions while scanning the Dark Web. Researchers contacted IPS, which was unaware of the hacker’s breach, discovered the entry point, and shut down his access. This incident happened at the start of April, and IPS is still in the process of investigating the breach.

According to the most recent Thanatos ads on the Dark Web, the Trojan has now received new updates in the form of add-on modules.